Root Access: How AI is changing cybersecurity, according to ethical hacker, Philippe Caturegli | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


I recently interviewed prominent security researcher and ethical hacker Philippe Caturegli, who has collaborated with well-known security figures such as Kevin Mitnick and Brian Krebs. The initial aim of the conversation was to get his take on the recent data leak at CISA — the U.S. government organization that works to help entities reduce their cybersecurity risk.

However, during our behind-the-scenes interview, it became clear that Caturegli had much more knowledge to share than could fit in a single article. A large portion of our previously unpublished conversation centered on how AI is changing cybersecurity, both on the offensive and defensive sides.

This edition of my Root Access column offers IT professionals insights from my multi-part conversation with Philippe Caturegli, with a focus on how AI is being used in penetration testing and how organizations need to shift their security thinking along with technological change.

READ MORE:
ISO 42001: Understanding AI governance for everyday people as It becomes practical work

AI hype vs. reality in cybersecurity

While AI is certainly changing security in many ways, Caturegli believes that you shouldn’t believe everything you hear from the AI labs. Recent discussions suggest that Anthropic’s Mythos and Fable models could be used as hacking tools that may pose a national security risk. However, he provided a more nuanced perspective that extends beyond the headlines: “Yes, Mythos and Fable are powerful, but a lot of it is marketing. (The AI labs) all want to have market share today, so they are trying to get the headline saying they have the most powerful model. A lot of it is being taken out of proportion by the marketing, but that’s what they want.”

At the same time, speaking about the current state of the impact of AI on hacking, ethical or otherwise, Caturegli says AI truly does allow him to do more with less, which benefits his clients because they get more value out of his services. Caturegli believes that penetration testers have always needed to “find the right balance on how much time you’re going to spend to give (clients) the most value for the money they are willing to pay.” Now, with the help of AI tools, he says, “you can go much deeper and find some more obscure vulnerabilities. Things that would have taken you weeks or months of looking at source code, now you can find instantly. So to me, it’s super fascinating, this AI stuff right now, because my limitation was the time that I had. Now, it’s extending the time, and I feel like I have 48 hours in one day instead of 24 hours. For curious people like me, it’s a blessing.”

AI for code analysis

To illustrate just how powerful AI can be in the right hands, Caturegli shared the following story about his work with a recurring client: “We did a pentest four years in a row, and the first year we managed to compromise it. We actually managed to download some of the source code of the application. So the next year, they said, all right now we’ll give you the source code of the application so you can go deeper in the test and we compromised it again.”

When they revisited the same code with the help of AI, they were able to find a problematic line of code that had been previously overlooked on multiple occasions: “I found this most obvious vulnerability that we missed for the past four years, and it was just in front of me. There was one way of bypassing the authentication for all users, and I swear I looked at the code like 100 times.

Getting technical, Caturegli described how a single character in the code made all the difference: “It was a loose comparison. When you compare in PHP, if you do an equal (==), it compares two different types of data. So if you have an array and a boolean, it will still do the comparison. You’re supposed to use three equal signs (===) in order to do the (strict) comparison by type… (the vulnerability) was comparing a boolean with a string, which is always true.Opens a new window